+++ /dev/null
-import { Injectable } from '@angular/core'
-import {
- ActivatedRouteSnapshot,
- CanActivateChild,
- RouterStateSnapshot,
- CanActivate,
- Router
-} from '@angular/router'
-
-import { AuthService } from '../core'
-
-@Injectable()
-export class AdminGuard implements CanActivate, CanActivateChild {
-
- constructor (
- private router: Router,
- private auth: AuthService
- ) {}
-
- canActivate (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
- if (this.auth.isAdmin() === true) return true
-
- this.router.navigate([ '/login' ])
- return false
- }
-
- canActivateChild (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
- return this.canActivate(route, state)
- }
-}
import { RequestSchedulersRoutes } from './request-schedulers'
import { UsersRoutes } from './users'
import { VideoAbusesRoutes } from './video-abuses'
-import { AdminGuard } from './admin-guard.service'
import { VideoBlacklistRoutes } from './video-blacklist'
const adminRoutes: Routes = [
{
path: '',
component: AdminComponent,
- canActivate: [ MetaGuard, AdminGuard ],
- canActivateChild: [ MetaGuard, AdminGuard ],
+ canActivate: [ MetaGuard ],
+ canActivateChild: [ MetaGuard ],
children: [
{
path: '',
import { VideoAbusesComponent, VideoAbuseListComponent } from './video-abuses'
import { VideoBlacklistComponent, VideoBlacklistListComponent } from './video-blacklist'
import { SharedModule } from '../shared'
-import { AdminGuard } from './admin-guard.service'
@NgModule({
imports: [
providers: [
FriendService,
RequestSchedulersService,
- UserService,
- AdminGuard
+ UserService
]
})
export class AdminModule { }
import { Routes } from '@angular/router'
+import { UserRightGuard } from '../../core'
import { FriendsComponent } from './friends.component'
import { FriendAddComponent } from './friend-add'
import { FriendListComponent } from './friend-list'
+import { UserRight } from '../../../../../shared'
export const FriendsRoutes: Routes = [
{
path: 'friends',
component: FriendsComponent,
+ canActivate: [ UserRightGuard ],
+ data: {
+ userRight: UserRight.MANAGE_PODS
+ },
children: [
{
path: '',
import { Routes } from '@angular/router'
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
import { RequestSchedulersComponent } from './request-schedulers.component'
import { RequestSchedulersStatsComponent } from './request-schedulers-stats'
{
path: 'requests',
component: RequestSchedulersComponent,
+ canActivate: [ UserRightGuard ],
+ data: {
+ userRight: UserRight.MANAGE_REQUEST_SCHEDULERS
+ },
children: [
{
path: '',
USER_USERNAME,
USER_EMAIL,
USER_PASSWORD,
- USER_VIDEO_QUOTA
+ USER_VIDEO_QUOTA,
+ USER_ROLE
} from '../../../shared'
import { ServerService } from '../../../core'
-import { UserCreate } from '../../../../../../shared'
+import { UserCreate, UserRole } from '../../../../../../shared'
import { UserEdit } from './user-edit'
@Component({
'username': '',
'email': '',
'password': '',
+ 'role': '',
'videoQuota': ''
}
validationMessages = {
'username': USER_USERNAME.MESSAGES,
'email': USER_EMAIL.MESSAGES,
'password': USER_PASSWORD.MESSAGES,
+ 'role': USER_ROLE.MESSAGES,
'videoQuota': USER_VIDEO_QUOTA.MESSAGES
}
username: [ '', USER_USERNAME.VALIDATORS ],
email: [ '', USER_EMAIL.VALIDATORS ],
password: [ '', USER_PASSWORD.VALIDATORS ],
+ role: [ UserRole.USER, USER_ROLE.VALIDATORS ],
videoQuota: [ '-1', USER_VIDEO_QUOTA.VALIDATORS ]
})
</div>
</div>
+ <div class="form-group">
+ <label for="role">Role</label>
+ <select class="form-control" id="role" formControlName="role">
+ <option *ngFor="let role of roles" [value]="role.value">
+ {{ role.label }}
+ </option>
+ </select>
+
+ <div *ngIf="formErrors.role" class="alert alert-danger">
+ {{ formErrors.role }}
+ </div>
+ </div>
+
<div class="form-group">
<label for="videoQuota">Video quota</label>
<select class="form-control" id="videoQuota" formControlName="videoQuota">
import { ServerService } from '../../../core'
import { FormReactive } from '../../../shared'
-import { VideoResolution } from '../../../../../../shared/models/videos/video-resolution.enum'
+import { USER_ROLE_LABELS, VideoResolution } from '../../../../../../shared'
export abstract class UserEdit extends FormReactive {
videoQuotaOptions = [
{ value: 50 * 1024 * 1024 * 1024, label: '50GB' }
]
+ roles = Object.keys(USER_ROLE_LABELS).map(key => ({ value: key, label: USER_ROLE_LABELS[key] }))
+
protected abstract serverService: ServerService
abstract isCreation (): boolean
abstract getFormButtonTitle (): string
import { NotificationsService } from 'angular2-notifications'
import { UserService } from '../shared'
-import { USER_EMAIL, USER_VIDEO_QUOTA } from '../../../shared'
+import {
+ USER_EMAIL,
+ USER_VIDEO_QUOTA,
+ USER_ROLE,
+ User
+} from '../../../shared'
import { ServerService } from '../../../core'
-import { UserUpdate } from '../../../../../../shared/models/users/user-update.model'
-import { User } from '../../../shared/users/user.model'
import { UserEdit } from './user-edit'
+import { UserUpdate, UserRole } from '../../../../../../shared'
@Component({
selector: 'my-user-update',
form: FormGroup
formErrors = {
'email': '',
+ 'role': '',
'videoQuota': ''
}
validationMessages = {
'email': USER_EMAIL.MESSAGES,
+ 'role': USER_ROLE.MESSAGES,
'videoQuota': USER_VIDEO_QUOTA.MESSAGES
}
buildForm () {
this.form = this.formBuilder.group({
email: [ '', USER_EMAIL.VALIDATORS ],
+ role: [ '', USER_ROLE.VALIDATORS ],
videoQuota: [ '-1', USER_VIDEO_QUOTA.VALIDATORS ]
})
this.form.patchValue({
email: userJson.email,
+ role: userJson.role,
videoQuota: userJson.videoQuota
})
}
<p-column field="username" header="Username" [sortable]="true"></p-column>
<p-column field="email" header="Email"></p-column>
<p-column field="videoQuota" header="Video quota"></p-column>
- <p-column field="role" header="Role"></p-column>
+ <p-column field="roleLabel" header="Role"></p-column>
<p-column field="createdAt" header="Created date" [sortable]="true"></p-column>
<p-column header="Edit" styleClass="action-cell">
<ng-template pTemplate="body" let-user="rowData">
import { Routes } from '@angular/router'
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
import { UsersComponent } from './users.component'
import { UserAddComponent, UserUpdateComponent } from './user-edit'
import { UserListComponent } from './user-list'
{
path: 'users',
component: UsersComponent,
+ canActivate: [ UserRightGuard ],
+ data: {
+ userRight: UserRight.MANAGE_USERS
+ },
children: [
{
path: '',
import { Routes } from '@angular/router'
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
import { VideoAbusesComponent } from './video-abuses.component'
import { VideoAbuseListComponent } from './video-abuse-list'
export const VideoAbusesRoutes: Routes = [
{
path: 'video-abuses',
- component: VideoAbusesComponent
- ,
+ component: VideoAbusesComponent,
+ canActivate: [ UserRightGuard ],
+ data: {
+ userRight: UserRight.MANAGE_VIDEO_ABUSES
+ },
children: [
{
path: '',
import { Routes } from '@angular/router'
+import { UserRightGuard } from '../../core'
+import { UserRight } from '../../../../../shared'
import { VideoBlacklistComponent } from './video-blacklist.component'
import { VideoBlacklistListComponent } from './video-blacklist-list'
{
path: 'video-blacklist',
component: VideoBlacklistComponent,
+ canActivate: [ UserRightGuard ],
+ data: {
+ userRight: UserRight.MANAGE_VIDEO_BLACKLIST
+ },
children: [
{
path: '',
// Do not use the barrel (dependency loop)
-import { UserRole } from '../../../../../shared/models/users/user-role.type'
+import { hasUserRight, UserRole } from '../../../../../shared/models/users/user-role'
import { User, UserConstructorHash } from '../../shared/users/user.model'
+import { UserRight } from '../../../../../shared/models/users/user-right.enum'
export type TokenOptions = {
accessToken: string
id: parseInt(localStorage.getItem(this.KEYS.ID), 10),
username: localStorage.getItem(this.KEYS.USERNAME),
email: localStorage.getItem(this.KEYS.EMAIL),
- role: localStorage.getItem(this.KEYS.ROLE) as UserRole,
+ role: parseInt(localStorage.getItem(this.KEYS.ROLE), 10) as UserRole,
displayNSFW: localStorage.getItem(this.KEYS.DISPLAY_NSFW) === 'true'
},
Tokens.load()
this.tokens.refreshToken = refreshToken
}
+ hasRight(right: UserRight) {
+ return hasUserRight(this.role, right)
+ }
+
save () {
localStorage.setItem(AuthUser.KEYS.ID, this.id.toString())
localStorage.setItem(AuthUser.KEYS.USERNAME, this.username)
localStorage.setItem(AuthUser.KEYS.EMAIL, this.email)
- localStorage.setItem(AuthUser.KEYS.ROLE, this.role)
+ localStorage.setItem(AuthUser.KEYS.ROLE, this.role.toString())
localStorage.setItem(AuthUser.KEYS.DISPLAY_NSFW, JSON.stringify(this.displayNSFW))
this.tokens.save()
}
// Do not use the barrel (dependency loop)
import { RestExtractor } from '../../shared/rest'
import { UserLogin } from '../../../../../shared/models/users/user-login.model'
-import { User, UserConstructorHash } from '../../shared/users/user.model'
+import { UserConstructorHash } from '../../shared/users/user.model'
interface UserLoginWithUsername extends UserLogin {
access_token: string
return this.user
}
- isAdmin () {
- if (this.user === null) return false
-
- return this.user.isAdmin()
- }
-
isLoggedIn () {
return !!this.getAccessToken()
}
export * from './auth-status.model'
export * from './auth-user.model'
export * from './auth.service'
-export * from './login-guard.service'
+export * from '../routing/login-guard.service'
+++ /dev/null
-import { Injectable } from '@angular/core'
-import {
- ActivatedRouteSnapshot,
- CanActivateChild,
- RouterStateSnapshot,
- CanActivate,
- Router
-} from '@angular/router'
-
-import { AuthService } from './auth.service'
-
-@Injectable()
-export class LoginGuard implements CanActivate, CanActivateChild {
-
- constructor (
- private router: Router,
- private auth: AuthService
- ) {}
-
- canActivate (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
- if (this.auth.isLoggedIn() === true) return true
-
- this.router.navigate([ '/login' ])
- return false
- }
-
- canActivateChild (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
- return this.canActivate(route, state)
- }
-}
import { SimpleNotificationsModule } from 'angular2-notifications'
import { ModalModule } from 'ngx-bootstrap/modal'
-import { AuthService, LoginGuard } from './auth'
+import { AuthService } from './auth'
+import { LoginGuard, UserRightGuard } from './routing'
import { ServerService } from './server'
import { ConfirmComponent, ConfirmService } from './confirm'
import { MenuComponent, MenuAdminComponent } from './menu'
AuthService,
ConfirmService,
ServerService,
- LoginGuard
+ LoginGuard,
+ UserRightGuard
]
})
export class CoreModule {
<menu>
<div class="panel-block">
- <a routerLink="/admin/users/list" routerLinkActive="active">
+ <a *ngIf="hasUsersRight()" routerLink="/admin/users" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-user"></span>
List users
</a>
- <a routerLink="/admin/friends/list" routerLinkActive="active">
+ <a *ngIf="hasFriendsRight()" routerLink="/admin/friends" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-cloud"></span>
List friends
</a>
- <a routerLink="/admin/requests/stats" routerLinkActive="active">
+ <a *ngIf="hasRequestsStatRight()" routerLink="/admin/requests/stats" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-stats"></span>
Request stats
</a>
- <a routerLink="/admin/video-abuses/list" routerLinkActive="active">
+ <a *ngIf="hasVideoAbusesRight()" routerLink="/admin/video-abuses" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-alert"></span>
Video abuses
</a>
- <a routerLink="/admin/video-blacklist/list" routerLinkActive="active">
+ <a *ngIf="hasVideoBlacklistRight()" routerLink="/admin/video-blacklist" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-eye-close"></span>
Video blacklist
</a>
import { Component } from '@angular/core'
+import { AuthService } from '../auth/auth.service'
+import { UserRight } from '../../../../../shared'
+
@Component({
selector: 'my-menu-admin',
templateUrl: './menu-admin.component.html',
styleUrls: [ './menu.component.scss' ]
})
-export class MenuAdminComponent { }
+export class MenuAdminComponent {
+ constructor (private auth: AuthService) {}
+
+ hasUsersRight () {
+ return this.auth.getUser().hasRight(UserRight.MANAGE_USERS)
+ }
+
+ hasFriendsRight () {
+ return this.auth.getUser().hasRight(UserRight.MANAGE_PODS)
+ }
+
+ hasRequestsStatRight () {
+ return this.auth.getUser().hasRight(UserRight.MANAGE_REQUEST_SCHEDULERS)
+ }
+
+ hasVideoAbusesRight () {
+ return this.auth.getUser().hasRight(UserRight.MANAGE_VIDEO_ABUSES)
+ }
+
+ hasVideoBlacklistRight () {
+ return this.auth.getUser().hasRight(UserRight.MANAGE_VIDEO_BLACKLIST)
+ }
+}
</a>
</div>
- <div *ngIf="isUserAdmin()" class="panel-block">
+ <div *ngIf="userHasAdminAccess" class="panel-block">
<div class="block-title">Other</div>
- <a routerLink="/admin" routerLinkActive="active">
+ <a [routerLink]="getFirstAdminRouteAvailable()" routerLinkActive="active">
<span class="hidden-xs glyphicon glyphicon-cog"></span>
Administration
</a>
import { AuthService, AuthStatus } from '../auth'
import { ServerService } from '../server'
+import { UserRight } from '../../../../../shared/models/users/user-right.enum'
@Component({
selector: 'my-menu',
})
export class MenuComponent implements OnInit {
isLoggedIn: boolean
+ userHasAdminAccess = false
+
+ private routesPerRight = {
+ [UserRight.MANAGE_USERS]: '/admin/users',
+ [UserRight.MANAGE_PODS]: '/admin/friends',
+ [UserRight.MANAGE_REQUEST_SCHEDULERS]: '/admin/requests/stats',
+ [UserRight.MANAGE_VIDEO_ABUSES]: '/admin/video-abuses',
+ [UserRight.MANAGE_VIDEO_BLACKLIST]: '/admin/video-blacklist'
+ }
constructor (
private authService: AuthService,
ngOnInit () {
this.isLoggedIn = this.authService.isLoggedIn()
+ this.computeIsUserHasAdminAccess()
this.authService.loginChangedSource.subscribe(
status => {
if (status === AuthStatus.LoggedIn) {
this.isLoggedIn = true
+ this.computeIsUserHasAdminAccess()
console.log('Logged in.')
} else if (status === AuthStatus.LoggedOut) {
this.isLoggedIn = false
+ this.computeIsUserHasAdminAccess()
console.log('Logged out.')
} else {
console.error('Unknown auth status: ' + status)
return this.serverService.getConfig().signup.allowed
}
- isUserAdmin () {
- return this.authService.isAdmin()
+ getFirstAdminRightAvailable () {
+ const user = this.authService.getUser()
+ if (!user) return undefined
+
+ const adminRights = [
+ UserRight.MANAGE_USERS,
+ UserRight.MANAGE_PODS,
+ UserRight.MANAGE_REQUEST_SCHEDULERS,
+ UserRight.MANAGE_VIDEO_ABUSES,
+ UserRight.MANAGE_VIDEO_BLACKLIST
+ ]
+
+ for (const adminRight of adminRights) {
+ if (user.hasRight(adminRight)) {
+ return adminRight
+ }
+ }
+
+ return undefined
+ }
+
+ getFirstAdminRouteAvailable () {
+ const right = this.getFirstAdminRightAvailable()
+
+ return this.routesPerRight[right]
}
logout () {
// Redirect to home page
this.router.navigate(['/videos/list'])
}
+
+ private computeIsUserHasAdminAccess () {
+ const right = this.getFirstAdminRightAvailable()
+
+ this.userHasAdminAccess = right !== undefined
+ }
}
+export * from './login-guard.service'
+export * from './user-right-guard.service'
export * from './preload-selected-modules-list'
--- /dev/null
+import { Injectable } from '@angular/core'
+import {
+ ActivatedRouteSnapshot,
+ CanActivateChild,
+ RouterStateSnapshot,
+ CanActivate,
+ Router
+} from '@angular/router'
+
+import { AuthService } from '../auth/auth.service'
+
+@Injectable()
+export class LoginGuard implements CanActivate, CanActivateChild {
+
+ constructor (
+ private router: Router,
+ private auth: AuthService
+ ) {}
+
+ canActivate (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+ if (this.auth.isLoggedIn() === true) return true
+
+ this.router.navigate([ '/login' ])
+ return false
+ }
+
+ canActivateChild (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+ return this.canActivate(route, state)
+ }
+}
--- /dev/null
+import { Injectable } from '@angular/core'
+import {
+ ActivatedRouteSnapshot,
+ CanActivateChild,
+ RouterStateSnapshot,
+ CanActivate,
+ Router
+} from '@angular/router'
+
+import { AuthService } from '../auth'
+
+@Injectable()
+export class UserRightGuard implements CanActivate, CanActivateChild {
+
+ constructor (
+ private router: Router,
+ private auth: AuthService
+ ) {}
+
+ canActivate (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+ const user = this.auth.getUser()
+ if (user) {
+ const neededUserRight = route.data.userRight
+
+ if (user.hasRight(neededUserRight)) return true
+ }
+
+ this.router.navigate([ '/login' ])
+ return false
+ }
+
+ canActivateChild (route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
+ return this.canActivate(route, state)
+ }
+}
'min': 'Quota must be greater than -1.'
}
}
+export const USER_ROLE = {
+ VALIDATORS: [ Validators.required ],
+ MESSAGES: {
+ 'required': 'User role is required.',
+ }
+}
import {
User as UserServerModel,
UserRole,
- VideoChannel
+ VideoChannel,
+ UserRight,
+ hasUserRight
} from '../../../../../shared'
export type UserConstructorHash = {
}
}
- isAdmin () {
- return this.role === 'admin'
+ hasRight (right: UserRight) {
+ return hasUserRight(this.role, right)
}
}
import { Video } from './video.model'
+import { AuthUser } from '../../core'
import {
VideoDetails as VideoDetailsServerModel,
VideoFile,
VideoChannel,
- VideoResolution
+ VideoResolution,
+ UserRight
} from '../../../../../shared'
export class VideoDetails extends Video implements VideoDetailsServerModel {
return betterResolutionFile.magnetUri
}
- isRemovableBy (user) {
- return user && this.isLocal === true && (this.author === user.username || user.isAdmin() === true)
+ isRemovableBy (user: AuthUser) {
+ return user && this.isLocal === true && (this.author === user.username || user.hasRight(UserRight.REMOVE_ANY_VIDEO))
}
- isBlackistableBy (user) {
- return user && user.isAdmin() === true && this.isLocal === false
+ isBlackistableBy (user: AuthUser) {
+ return user && user.hasRight(UserRight.MANAGE_VIDEO_BLACKLIST) === true && this.isLocal === false
}
- isUpdatableBy (user) {
+ isUpdatableBy (user: AuthUser) {
return user && this.isLocal === true && user.username === this.author
}
}
VideoService,
VideoPagination
} from '../shared'
-import { Search, SearchField, SearchService, User} from '../../shared'
+import { Search, SearchField, SearchService, User } from '../../shared'
@Component({
selector: 'my-videos-list',
} from '../../lib'
import {
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight,
makeFriendsValidator,
setBodyHostsPort,
podRemoveValidator,
asyncMiddleware
} from '../../middlewares'
import { PodInstance } from '../../models'
+import { UserRight } from '../../../shared'
const podsRouter = express.Router()
)
podsRouter.post('/make-friends',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_PODS),
makeFriendsValidator,
setBodyHostsPort,
asyncMiddleware(makeFriendsController)
)
podsRouter.get('/quit-friends',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_PODS),
asyncMiddleware(quitFriendsController)
)
podsRouter.delete('/:id',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_PODS),
podRemoveValidator,
asyncMiddleware(removeFriendController)
)
getRequestVideoQaduScheduler,
getRequestVideoEventScheduler
} from '../../lib'
-import { authenticate, ensureIsAdmin, asyncMiddleware } from '../../middlewares'
-import { RequestSchedulerStatsAttributes } from '../../../shared'
+import { authenticate, ensureUserHasRight, asyncMiddleware } from '../../middlewares'
+import { RequestSchedulerStatsAttributes, UserRight } from '../../../shared'
const requestSchedulerRouter = express.Router()
requestSchedulerRouter.get('/stats',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_REQUEST_SCHEDULERS),
asyncMiddleware(getRequestSchedulersStats)
)
import * as express from 'express'
-import { database as db } from '../../initializers/database'
-import { USER_ROLES, CONFIG } from '../../initializers'
+import { database as db, CONFIG } from '../../initializers'
import { logger, getFormattedObjects, retryTransactionWrapper } from '../../helpers'
import {
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight,
ensureUserRegistrationAllowed,
usersAddValidator,
usersRegisterValidator,
UserVideoRate as FormattedUserVideoRate,
UserCreate,
UserUpdate,
- UserUpdateMe
+ UserUpdateMe,
+ UserRole,
+ UserRight
} from '../../../shared'
import { createUserAuthorAndChannel } from '../../lib'
import { UserInstance } from '../../models'
usersRouter.post('/',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_USERS),
usersAddValidator,
createUserRetryWrapper
)
usersRouter.put('/:id',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_USERS),
usersUpdateValidator,
asyncMiddleware(updateUser)
)
usersRouter.delete('/:id',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_USERS),
usersRemoveValidator,
asyncMiddleware(removeUser)
)
password: body.password,
email: body.email,
displayNSFW: false,
- role: USER_ROLES.USER,
+ role: body.role,
videoQuota: body.videoQuota
})
password: body.password,
email: body.email,
displayNSFW: false,
- role: USER_ROLES.USER,
+ role: UserRole.USER,
videoQuota: CONFIG.USER.VIDEO_QUOTA
})
if (body.email !== undefined) user.email = body.email
if (body.videoQuota !== undefined) user.videoQuota = body.videoQuota
+ if (body.role !== undefined) user.role = body.role
await user.save()
} from '../../../helpers'
import {
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight,
paginationValidator,
videoAbuseReportValidator,
videoAbusesSortValidator,
asyncMiddleware
} from '../../../middlewares'
import { VideoInstance } from '../../../models'
-import { VideoAbuseCreate } from '../../../../shared'
+import { VideoAbuseCreate, UserRight } from '../../../../shared'
const abuseVideoRouter = express.Router()
abuseVideoRouter.get('/abuse',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_VIDEO_ABUSES),
paginationValidator,
videoAbusesSortValidator,
setVideoAbusesSort,
import { logger, getFormattedObjects } from '../../../helpers'
import {
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight,
videosBlacklistAddValidator,
videosBlacklistRemoveValidator,
paginationValidator,
asyncMiddleware
} from '../../../middlewares'
import { BlacklistedVideoInstance } from '../../../models'
-import { BlacklistedVideo } from '../../../../shared'
+import { BlacklistedVideo, UserRight } from '../../../../shared'
const blacklistRouter = express.Router()
blacklistRouter.post('/:videoId/blacklist',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
videosBlacklistAddValidator,
asyncMiddleware(addVideoToBlacklist)
)
blacklistRouter.get('/blacklist',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
paginationValidator,
blacklistSortValidator,
setBlacklistSort,
blacklistRouter.delete('/:videoId/blacklist',
authenticate,
- ensureIsAdmin,
+ ensureUserHasRight(UserRight.MANAGE_VIDEO_BLACKLIST),
videosBlacklistRemoveValidator,
asyncMiddleware(removeVideoFromBlacklistController)
)
-import { values } from 'lodash'
import * as validator from 'validator'
import 'express-validator'
import { exists } from './misc'
-import { CONSTRAINTS_FIELDS, USER_ROLES } from '../../initializers'
+import { CONSTRAINTS_FIELDS } from '../../initializers'
import { UserRole } from '../../../shared'
const USERS_CONSTRAINTS_FIELDS = CONSTRAINTS_FIELDS.USERS
return validator.isLength(value, USERS_CONSTRAINTS_FIELDS.PASSWORD)
}
-function isUserRoleValid (value: string) {
- return values(USER_ROLES).indexOf(value as UserRole) !== -1
-}
-
function isUserVideoQuotaValid (value: string) {
return exists(value) && validator.isInt(value + '', USERS_CONSTRAINTS_FIELDS.VIDEO_QUOTA)
}
return typeof value === 'boolean' || (typeof value === 'string' && validator.isBoolean(value))
}
+function isUserRoleValid (value: any) {
+ return exists(value) && validator.isInt('' + value) && UserRole[value] !== undefined
+}
+
// ---------------------------------------------------------------------------
export {
import { root, isTestInstance } from '../helpers/core-utils'
import {
- UserRole,
VideoRateType,
RequestEndpoint,
RequestVideoEventType,
// ---------------------------------------------------------------------------
-const LAST_MIGRATION_VERSION = 80
+const LAST_MIGRATION_VERSION = 85
// ---------------------------------------------------------------------------
}
// How many maximum jobs we fetch from the database per cycle
const JOBS_FETCH_LIMIT_PER_CYCLE = 10
-const JOBS_CONCURRENCY = 1
// 1 minutes
let JOBS_FETCHING_INTERVAL = 60000
// ---------------------------------------------------------------------------
-const USER_ROLES: { [ id: string ]: UserRole } = {
- ADMIN: 'admin',
- USER: 'user'
-}
-
-// ---------------------------------------------------------------------------
-
const OPENGRAPH_AND_OEMBED_COMMENT = '<!-- open graph and oembed tags -->'
// ---------------------------------------------------------------------------
EMBED_SIZE,
FRIEND_SCORE,
JOB_STATES,
- JOBS_CONCURRENCY,
JOBS_FETCH_LIMIT_PER_CYCLE,
JOBS_FETCHING_INTERVAL,
LAST_MIGRATION_VERSION,
STATIC_MAX_AGE,
STATIC_PATHS,
THUMBNAILS_SIZE,
- USER_ROLES,
VIDEO_CATEGORIES,
VIDEO_LANGUAGES,
VIDEO_LICENCES,
import * as Bluebird from 'bluebird'
import { database as db } from './database'
-import { USER_ROLES, CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants'
+import { CONFIG, LAST_MIGRATION_VERSION, CACHE } from './constants'
import { clientsExist, usersExist } from './checker'
import { logger, createCertsIfNotExist, mkdirpPromise, rimrafPromise } from '../helpers'
import { createUserAuthorAndChannel } from '../lib'
+import { UserRole } from '../../shared'
async function installApplication () {
await db.sequelize.sync()
logger.info('Creating the administrator.')
const username = 'root'
- const role = USER_ROLES.ADMIN
+ const role = UserRole.ADMINISTRATOR
const email = CONFIG.ADMIN.EMAIL
let validatePassword = true
let password = ''
--- /dev/null
+import * as Sequelize from 'sequelize'
+import * as uuidv4 from 'uuid/v4'
+
+async function up (utils: {
+ transaction: Sequelize.Transaction,
+ queryInterface: Sequelize.QueryInterface,
+ sequelize: Sequelize.Sequelize,
+ db: any
+}): Promise<void> {
+ const q = utils.queryInterface
+
+ await q.renameColumn('Users', 'role', 'oldRole')
+
+ const data = {
+ type: Sequelize.INTEGER,
+ allowNull: true
+ }
+ await q.addColumn('Users', 'role', data)
+
+ let query = 'UPDATE "Users" SET "role" = 0 WHERE "oldRole" = \'admin\''
+ await utils.sequelize.query(query)
+
+ query = 'UPDATE "Users" SET "role" = 2 WHERE "oldRole" = \'user\''
+ await utils.sequelize.query(query)
+
+ data.allowNull = false
+ await q.changeColumn('Users', 'role', data)
+
+ await q.removeColumn('Users', 'oldRole')
+}
+
+function down (options) {
+ throw new Error('Not implemented.')
+}
+
+export {
+ up,
+ down
+}
+++ /dev/null
-import 'express-validator'
-import * as express from 'express'
-
-import { logger } from '../helpers'
-
-function ensureIsAdmin (req: express.Request, res: express.Response, next: express.NextFunction) {
- const user = res.locals.oauth.token.user
- if (user.isAdmin() === false) {
- logger.info('A non admin user is trying to access to an admin content.')
- return res.sendStatus(403)
- }
-
- return next()
-}
-
-// ---------------------------------------------------------------------------
-
-export {
- ensureIsAdmin
-}
export * from './validators'
-export * from './admin'
export * from './async'
export * from './oauth'
export * from './pagination'
export * from './search'
export * from './secure'
export * from './sort'
+export * from './user-right'
--- /dev/null
+import 'express-validator'
+import * as express from 'express'
+
+import { UserInstance } from '../models'
+import { UserRight } from '../../shared'
+import { logger } from '../helpers'
+
+function ensureUserHasRight (userRight: UserRight) {
+ return function (req: express.Request, res: express.Response, next: express.NextFunction) {
+ const user: UserInstance = res.locals.oauth.token.user
+ if (user.hasRight(userRight) === false) {
+ logger.info('User %s does not have right %s to access to %s.', user.username, UserRight[userRight], req.path)
+ return res.sendStatus(403)
+ }
+
+ return next()
+ }
+}
+
+// ---------------------------------------------------------------------------
+
+export {
+ ensureUserHasRight
+}
isUserPasswordValid,
isUserVideoQuotaValid,
isUserDisplayNSFWValid,
- isIdOrUUIDValid
+ isIdOrUUIDValid,
+ isUserRoleValid
} from '../../helpers'
import { UserInstance, VideoInstance } from '../../models'
body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
body('email').isEmail().withMessage('Should have a valid email'),
body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
(req: express.Request, res: express.Response, next: express.NextFunction) => {
logger.debug('Checking usersAdd parameters', { parameters: req.body })
param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
+ body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
(req: express.Request, res: express.Response, next: express.NextFunction) => {
logger.debug('Checking usersUpdate parameters', { parameters: req.body })
checkVideoChannelExists,
checkVideoAuthorExists
} from '../../helpers'
+import { UserInstance } from '../../models'
+import { UserRight } from '../../../shared'
const listVideoAuthorChannelsValidator = [
param('authorId').custom(isIdOrUUIDValid).withMessage('Should have a valid author id'),
// ---------------------------------------------------------------------------
function checkUserCanDeleteVideoChannel (res: express.Response, callback: () => void) {
- const user = res.locals.oauth.token.User
+ const user: UserInstance = res.locals.oauth.token.User
// Retrieve the user who did the request
if (res.locals.videoChannel.isOwned() === false) {
// Check if the user can delete the video channel
// The user can delete it if s/he is an admin
// Or if s/he is the video channel's author
- if (user.isAdmin() === false && res.locals.videoChannel.Author.userId !== user.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO_CHANNEL) === false && res.locals.videoChannel.Author.userId !== user.id) {
return res.status(403)
.json({ error: 'Cannot remove video channel of another user' })
.end()
checkVideoExists,
isIdValid
} from '../../helpers'
+import { UserRight } from '../../../shared'
const videosAddValidator = [
body('videofile').custom((value, { req }) => isVideoFile(req.files)).withMessage(
// Check if the user can delete the video
// The user can delete it if s/he is an admin
// Or if s/he is the video's author
- if (user.isAdmin() === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
+ if (user.hasRight(UserRight.REMOVE_ANY_VIDEO) === false && res.locals.video.Author.userId !== res.locals.oauth.token.User.id) {
return res.status(403)
.json({ error: 'Cannot remove video of another user' })
.end()
// Don't use barrel, import just what we need
import { User as FormattedUser } from '../../../shared/models/users/user.model'
-import { UserRole } from '../../../shared/models/users/user-role.type'
import { ResultList } from '../../../shared/models/result-list.model'
import { AuthorInstance } from '../video/author-interface'
+import { UserRight } from '../../../shared/models/users/user-right.enum'
+import { UserRole } from '../../../shared/models/users/user-role'
export namespace UserMethods {
+ export type HasRight = (this: UserInstance, right: UserRight) => boolean
export type IsPasswordMatch = (this: UserInstance, password: string) => Promise<boolean>
export type ToFormattedJSON = (this: UserInstance) => FormattedUser
- export type IsAdmin = (this: UserInstance) => boolean
export type IsAbleToUploadVideo = (this: UserInstance, videoFile: Express.Multer.File) => Promise<boolean>
export type CountTotal = () => Promise<number>
export interface UserClass {
isPasswordMatch: UserMethods.IsPasswordMatch,
toFormattedJSON: UserMethods.ToFormattedJSON,
- isAdmin: UserMethods.IsAdmin,
+ hasRight: UserMethods.HasRight,
isAbleToUploadVideo: UserMethods.IsAbleToUploadVideo,
countTotal: UserMethods.CountTotal,
isPasswordMatch: UserMethods.IsPasswordMatch
toFormattedJSON: UserMethods.ToFormattedJSON
- isAdmin: UserMethods.IsAdmin
+ hasRight: UserMethods.HasRight
}
export interface UserModel extends UserClass, Sequelize.Model<UserInstance, UserAttributes> {}
-import { values } from 'lodash'
import * as Sequelize from 'sequelize'
import * as Promise from 'bluebird'
import { getSort } from '../utils'
-import { USER_ROLES } from '../../initializers'
import {
cryptPassword,
comparePassword,
isUserPasswordValid,
isUserUsernameValid,
isUserDisplayNSFWValid,
- isUserVideoQuotaValid
+ isUserVideoQuotaValid,
+ isUserRoleValid
} from '../../helpers'
+import { UserRight, USER_ROLE_LABELS, hasUserRight } from '../../../shared'
import { addMethodsToModel } from '../utils'
import {
let User: Sequelize.Model<UserInstance, UserAttributes>
let isPasswordMatch: UserMethods.IsPasswordMatch
+let hasRight: UserMethods.HasRight
let toFormattedJSON: UserMethods.ToFormattedJSON
-let isAdmin: UserMethods.IsAdmin
let countTotal: UserMethods.CountTotal
let getByUsername: UserMethods.GetByUsername
let listForApi: UserMethods.ListForApi
}
},
role: {
- type: DataTypes.ENUM(values(USER_ROLES)),
- allowNull: false
+ type: DataTypes.INTEGER,
+ allowNull: false,
+ validate: {
+ roleValid: value => {
+ const res = isUserRoleValid(value)
+ if (res === false) throw new Error('Role is not valid.')
+ }
+ }
},
videoQuota: {
type: DataTypes.BIGINT,
loadByUsernameOrEmail
]
const instanceMethods = [
+ hasRight,
isPasswordMatch,
toFormattedJSON,
- isAdmin,
isAbleToUploadVideo
]
addMethodsToModel(User, classMethods, instanceMethods)
// ------------------------------ METHODS ------------------------------
+hasRight = function (this: UserInstance, right: UserRight) {
+ return hasUserRight(this.role, right)
+}
+
isPasswordMatch = function (this: UserInstance, password: string) {
return comparePassword(password, this.password)
}
email: this.email,
displayNSFW: this.displayNSFW,
role: this.role,
+ roleLabel: USER_ROLE_LABELS[this.role],
videoQuota: this.videoQuota,
createdAt: this.createdAt,
author: {
return json
}
-isAdmin = function (this: UserInstance) {
- return this.role === USER_ROLES.ADMIN
-}
-
isAbleToUploadVideo = function (this: UserInstance, videoFile: Express.Multer.File) {
if (this.videoQuota === -1) return Promise.resolve(true)
export * from './user-refresh-token.model'
export * from './user-update.model'
export * from './user-update-me.model'
-export * from './user-role.type'
+export * from './user-right.enum'
+export * from './user-role'
+import { UserRole } from './user-role'
+
export interface UserCreate {
username: string
password: string
email: string
videoQuota: number
+ role: UserRole
}
--- /dev/null
+export enum UserRight {
+ ALL,
+ MANAGE_USERS,
+ MANAGE_PODS,
+ MANAGE_VIDEO_ABUSES,
+ MANAGE_REQUEST_SCHEDULERS,
+ MANAGE_VIDEO_BLACKLIST,
+ REMOVE_ANY_VIDEO,
+ REMOVE_ANY_VIDEO_CHANNEL,
+}
--- /dev/null
+import { UserRight } from './user-right.enum'
+
+// Keep the order
+export enum UserRole {
+ ADMINISTRATOR = 0,
+ MODERATOR = 1,
+ USER = 2
+}
+
+export const USER_ROLE_LABELS = {
+ [UserRole.USER]: 'User',
+ [UserRole.MODERATOR]: 'Moderator',
+ [UserRole.ADMINISTRATOR]: 'Administrator'
+}
+
+// TODO: use UserRole for key once https://github.com/Microsoft/TypeScript/issues/13042 is fixed
+const userRoleRights: { [ id: number ]: UserRight[] } = {
+ [UserRole.ADMINISTRATOR]: [
+ UserRight.ALL
+ ],
+
+ [UserRole.MODERATOR]: [
+ UserRight.MANAGE_VIDEO_BLACKLIST,
+ UserRight.MANAGE_VIDEO_ABUSES,
+ UserRight.REMOVE_ANY_VIDEO,
+ UserRight.REMOVE_ANY_VIDEO_CHANNEL
+ ],
+
+ [UserRole.USER]: []
+}
+
+export function hasUserRight (userRole: UserRole, userRight: UserRight) {
+ const userRights = userRoleRights[userRole]
+
+ return userRights.indexOf(UserRight.ALL) !== -1 || userRights.indexOf(userRight) !== -1
+}
+++ /dev/null
-export type UserRole = 'admin' | 'user'
+import { UserRole } from './user-role'
+
export interface UserUpdate {
email?: string
videoQuota?: number
+ role?: UserRole
}
-import { UserRole } from './user-role.type'
import { VideoChannel } from '../videos/video-channel.model'
+import { UserRole } from './user-role'
export interface User {
id: number
projects / oweals / peertube.git / commitdiff